IT Audit Explained: What's Actually Included and When Your Vietnamese Business Needs One
A comprehensive IT audit takes 2–3 hours on-site and typically uncovers 15–30 issues the business owner had no idea existed.
Last March, a 25-person architecture firm in Da Nang called us in to do a quick IT check before their annual tax audit. Two and a half hours later, we had found eight computers running unlicensed Windows copies, three machines with dormant malware signatures, and the entire CAD project archive sitting on a single external hard drive with no backup. No one in the office knew any of this existed — because no one had ever looked.
That's exactly what a proper IT audit is for: finding out where your systems are weak before those weaknesses become expensive problems.
What Is an IT Audit — and What It Isn't
The phrase "IT audit" gets used loosely. Let's be precise about what a professional IT assessment actually covers, because it's often confused with simpler tasks.
- Virus scan = running antivirus software on individual machines (30–60 minutes per machine)
- Financial audit = reviewing accounting records, invoices, and tax obligations
- IT audit (IT assessment) = a structured review of your entire technology infrastructure — hardware, software licenses, network configuration, backup processes, and user access controls
An IT audit is not about judging your business. It's about giving you an accurate, objective picture of your current IT health — including risks you haven't seen yet.
What's Actually Checked: The 6 Core Areas
Hardware Inventory and Lifecycle
Every physical device is catalogued: computers, printers, network equipment (routers, switches, modems), UPS units, and peripherals. Each device is assessed for age, condition, and whether it's still fit for purpose.
Red flags: computers over 5 years old running resource-heavy software, HDDs with early failure signs, overloaded switches causing network bottlenecks.
In Vietnamese SMB offices, it's common to find machines that are 6–8 years old still running core business applications. Hardware that old routinely has dead sectors, failing fans, and components that are one bad day away from data loss.
Software Licensing and Compliance
This is consistently the area that surprises business owners most. Many companies in Vietnam — even well-run ones — have lost track of exactly which software licenses they own, how many seats are active, and whether all installations are authorized.
In our assessments, we regularly find pirated copies of AutoCAD, Microsoft Office, and accounting software that were installed by employees without the owner's knowledge. This matters beyond the moral question: Vietnamese law (Luật Sở hữu trí tuệ) provides for both civil and criminal liability for commercial use of unlicensed software. During a tax authority inspection, unlicensed software can trigger separate penalties.
Security Assessment
A security review covers: firewall configuration, unnecessary open network ports, antivirus status and update currency, Windows Update policy, and password management practices.
Common findings in Da Nang offices: WiFi routers still using factory-default passwords (which are publicly listed online), Windows automatic updates disabled by a previous IT person to "save bandwidth," and admin passwords shared across multiple employees.
Network Infrastructure
We map the actual network: which devices connect to what, bandwidth to each endpoint, bottlenecks, WiFi coverage gaps, and whether sensitive systems (accounting, HR) are segmented from the general office network.
A common finding for businesses that have grown organically: switches daisy-chained in ways that halve effective bandwidth, or guest WiFi networks that aren't actually isolated from the internal file server.
Backup and Disaster Recovery
The single most important question in any IT audit: if you lost everything on your server tomorrow morning, how much data would you lose and how long would it take to get back to work?
Many Vietnamese SMBs have some form of backup — but haven't tested the restore process. We've seen businesses with three-month-old backups that turned out to be corrupted, and companies whose entire backup strategy was "email important files to yourself."
User Access Controls
This includes: checking whether accounts for former employees are still active (email, cloud services, accounting software), who has admin-level access to sensitive data, and whether there are any "ghost" accounts in the system.
In one recent assessment at a 32-person trading company, we found active Google Workspace accounts for four employees who had left over the previous 18 months — accounts with full access to company Drive folders containing contracts and customer data.
What the Output Looks Like: A Sample Report
After the on-site assessment, you receive a written report. Here's a representative extract (anonymized):
Extract — Trading company, 28 employees, Da Nang:
[HIGH RISK] 6 of 12 computers are running Windows 10 version 21H1, which reached end of security support in December 2022. These machines are no longer receiving security patches. Recommendation: update to Windows 10 22H2 or Windows 11 within 30 days.
[MEDIUM RISK] No automated backup solution found for the 3 accounting department computers. Current practice is manual copy to USB weekly. Recommendation: implement daily automated backup to NAS or cloud service.
[INFORMATION] 2 Google Workspace accounts belonging to former employees remain active with full access to company email and Drive. Recommendation: disable immediately.
A standard report includes:
- Full device inventory with estimated remaining lifespan
- Software map with license status for each application
- Vulnerability list prioritized by severity (High / Medium / Low)
- Specific action recommendations with suggested priority order
- Estimated cost to remediate each issue
5 Signs Your Vietnamese Business Needs an IT Audit Now
1. You're Preparing to Scale
Going from 15 to 40 employees puts pressure on infrastructure that was sized for a smaller team. An audit before you hire identifies exactly what needs to be upgraded — and prevents the common mistake of either over-buying or under-provisioning.
2. A Tax Audit or Legal Review Is Coming
Software compliance issues, improperly secured customer data, and inadequate record-keeping can all become legal problems during a tax authority inspection. Finding out before the auditors arrive is always cheaper than finding out during.
3. Your IT Person Just Left
When the person who managed your systems leaves, they take institutional knowledge with them — and sometimes more. An IT audit ensures no backdoors, no lingering privileged accounts, and no hidden configurations that could cause problems later.
4. You Just Had a Security Incident
If one machine got infected and spread to others, or if you suspect a data leak, an audit maps the full scope of the damage and identifies the root cause to prevent recurrence.
5. You're Applying for Cyber Insurance
Cyber insurance is becoming more common among Vietnamese companies working with international clients. Most insurers now require a third-party IT assessment as part of the underwriting process — a self-assessment generally isn't accepted.
IT Audit Costs in Vietnam: What to Expect
For a Vietnamese SMB with 15–50 employees, a professional on-site IT audit takes 2–4 hours on-site plus 1–2 business days for data processing and report preparation.
Typical market rates in Da Nang:
- 10–20 employees: 2–4 million VND (~$80–160 USD)
- 20–50 employees: 4–8 million VND (~$160–320 USD)
- Includes written report and a results presentation session
For context: a single AutoCAD license (legal) costs around 25–35 million VND (~$1,000–1,400 USD) annually. An audit that catches five unlicensed copies pays for itself many times over in avoided penalties alone.
Self-Assessment vs. Professional Audit vs. Automated Tools
| Criterion | Self-assessment | Professional IT audit | Automated monitoring tools |
|---|---|---|---|
| Cost | Free (internal labor) | 2–8M VND per engagement | 500K–2M VND/month |
| Accuracy | Low — internal blind spots | High — objective third party | Medium |
| Time required | 1–3 days | 2–4 hours on-site | Continuous (automated) |
| Accepted for tax/legal audit | No | Yes | Depends on tool |
| Detects pirated software | Difficult | Effective | Possible |
| Formal written report | No | Yes | Yes (limited) |
| Best suited for | Micro-businesses < 5 people | 10–200 employees | Ongoing monitoring after audit |
Vietify's Free IT Assessment: Scope and Conditions
Vietify offers a free IT health check for qualifying businesses in Da Nang:
- 5 to 100 employees
- Office located in Da Nang or within 30km
- No existing service contract with Vietify
The free assessment covers: hardware walkthrough, basic software licensing check (top 10 applications), fundamental security review, and a one-page summary report.
A full paid assessment covers all 6 areas with detailed reporting suitable for submission to auditors or insurers. You can also review the software compliance audit packages we offer separately.
There's no obligation to engage us for remediation — many clients take the report and handle items themselves or with their existing IT support.
Frequently Asked Questions
How long does an IT audit take, and will it disrupt our work?
For a 15–30 person office, the on-site portion takes 2–3 hours. Our technicians work alongside your staff — no machines need to be shut down, no work is interrupted. The best time to schedule is early morning or on a Saturday.
If you find pirated software, will you report us to authorities?
No. Everything found during an assessment is strictly confidential and exists only to help you fix problems. Our job is to give you an accurate picture and practical remediation options — not to create legal exposure. We'll recommend the most cost-effective path to getting compliant.
What's the difference between the free assessment and a paid one?
The free assessment identifies your biggest issues and gives you a prioritized overview. The full paid assessment covers all six areas in depth, produces a detailed report suitable for external use (auditors, insurers, investors), and includes a presentation session where we walk through findings and answer questions.
After the audit, are we required to use Vietify for the fixes?
No. The report is yours. You can fix items yourself, use another IT provider, or engage us — entirely your choice. We don't build in any lock-in. Many clients do choose to work with us on remediation simply because it's faster, but there's no obligation.
Next Steps
If your business hasn't had a formal IT review in the past 12 months — especially if you've had IT staff changes, a growth period, or any security incidents — now is a practical time to schedule one.
Book a free IT assessment or explore the IT health check services Vietify provides for Da Nang businesses.
Vietify IT Services — Professional IT for your business.
Chia sẻ bài viết
Cần tư vấn IT cho doanh nghiệp?
Vietify IT cung cấp Managed IT từ 4.990.000đ/tháng. Phản hồi trong 30 phút.
Bình luận
Đang tải bình luận…
Để lại bình luận
Cập nhật: 14/7/2026
